b'                                      TVA RESTRICTED INFORMATION\n\n\n\n\nMemorandum from the Office of the Inspector General\n\n\n\nSeptember 4, 2014\n\nDiane T. Wear, WT 4B-K\n\nREQUEST FOR FINAL ACTION \xe2\x80\x93 AUDIT 2013-15106 \xe2\x80\x93 REVENUE BILLING INVOICE\nPREPARATION\n\n\n\nAttached is the subject final report for your review and final action. Your written\ncomments, which addressed your management decision and actions planned or taken,\nhave been included in the report. Additionally, based on the actions taken on\nRecommendations 1 and 3, no further action is necessary, and we have closed these\nrecommendations. Please notify us when final action is complete on Recommendations 2\nand 4. In accordance with the Inspector General Act of 1978, as amended, the Office of\nthe Inspector General is required to report to Congress semiannually regarding audits that\nremain unresolved after 6 months from the date of report issuance.\n\nInformation contained in this report may be subject to public disclosure. Please advise us\nof any sensitive information in this report that you recommend be withheld.\n\nIf you have any questions or wish to discuss our findings, please contact Melissa M.\nNeusel, Audit Manager, at (865) 633-7357 or Rick C. Underwood, Director, Corporate\nGovernance and Finance Audits, at (423) 785-4824. We appreciate the courtesy and\ncooperation received from your staff during the audit.\n\n\n\n\nDavid P. Wheeler\nDeputy Assistant Inspector General\n (Audits)\nET 3C-K\n\nMMN:BSC\nAttachment\ncc: See page 2\n\n\n\n\n      WARNING: This document is FOR OFFICIAL USE ONLY. It is to be controlled, stored, handled, transmitted,\n      distributed, and disposed of in accordance with TVA policy relating to Information Security. This information\n               is not to be further distributed without prior approval of the Inspector General or his designee.\n\n                                      TVA RESTRICTED INFORMATION\n\x0cDiane T. Wear\nPage 2\nSeptember 4, 2014\n\n\n\ncc (Attachment):\n     George T. Ballew, MR 5F-C\n     Leslie C. Bazzoon, WT 4B-K\n     Dwain K. Lanier, MR 3K-C\n     Bryan L. Johnson, WT 4B-K\n     William D. Johnson, WT 7B-K\n     Justin C. Maierhofer, WT 7B-K\n     Justin M. Mitchell, WT 4B-K\n     Richard W. Moore, ET 4C-K\n     R. Windle Morgan, WT 4DK\n     Daniel P. Pratt, SP 6A-C\n     Sidney F. Schaad, SP 5A-C\n     John M. Thomas III, MR 6D-C\n     TVA Board of Directors\n     Jacinda B. Woodward, MR 3H-C\n     OIG File No. 2013-15106\n\n\n\n\n                          TVA RESTRICTED INFORMATION\n\x0c                               TVA RESTRICTED INFORMATION\n\n\nOffice of the Inspector General                                                   Audit Report\n                                                                               To the Vice President and\n                                                                               Controller, Corporate\n                                                                               Accounting\n\n\n\n\nREVENUE BILLING\nINVOICE PREPARATION\n\n\n\n\nAudit Team                                                                                                     Audit 2013-15106\nMelissa M. Neusel                                                                                             September 4, 2014\nMichael P. Anderson\nJennifer R. Torregiano\n             WARNING: This document is FOR OFFICIAL USE ONLY. It is to be controlled, stored, handled, transmitted,\n             distributed, and disposed of in accordance with TVA policy relating to Information Security. This information\n                     is not to be further distributed without prior approval of the Inspector General or his designee.\n\n\n                             TVA RESTRICTED INFORMATION\n\x0cOffice of the Inspector General                                Audit Report\n\n\n\n\nABBREVIATIONS\nBDI                        Billing Data Interchange\nFY                         Fiscal Year\nFCA                        Fuel Cost Adjustment\nIEE                        Itron Enterprise Edition\nIT                         Information Technology\nkW                         Kilowatt\nkWh                        Kilowatt Hours\nLPC                        Local Power Company\nMDM                        Meter Data Management\nOIG                        Office of the Inspector General\nSOX                        Sarbanes-Oxley\nSPP                        Standard Programs and Processes\nTVA                        Tennessee Valley Authority\n\n\n\n\nAudit 2013-15106\n\n                                  TVA RESTRICTED INFORMATION\n\x0cOffice of the Inspector General                                                                       Audit Report\n\n\n\n\nTABLE OF CONTENTS\nEXECUTIVE SUMMARY ................................................................................ i\n\nBACKGROUND................................................................................................ 1\n\nOBJECTIVES, SCOPE, AND METHODOLOGY ..................................... 2\n\nFINDINGS ......................................................................................................... 2\n    WHOLESALE INVOICES CALCULATED CORRECTLY ................................ 3\n\n    CONTROLS TO PREVENT/DETECT LPC WHOLESALE\n    ERRORS ADEQUATE .................................................................................... 5\n\n    ACCEPTABLE IT GENERAL AND APPLICATION LEVEL\n    CONTROLS OVER ORACLE UTILITIES ........................................................ 6\n\nRECOMMENDATIONS .................................................................................. 8\n\n\nAPPENDICES\nA. OBJECTIVES, SCOPE, AND METHODOLOGY\n\nB. LETTER DATED AUGUST 28, 2014, FROM DIANE T. WEAR TO DAVID P.\n   WHEELER\n\n\n\n\nAudit 2013-15106\n\n                                      TVA RESTRICTED INFORMATION\n\x0c                          Audit 2013-15106 \xe2\x80\x93 Revenue Billing\n                                  Invoice Preparation\n                               EXECUTIVE SUMMARY\n\n    Why the OIG Did This Audit\n\n        The Tennessee Valley Authority (TVA) sells power at wholesale rates to\n        155 local power companies (LPC), who then resell the power to their end-\n        use customers at retail rates. TVA\xe2\x80\x99s total electricity sales were\n        $10.8 billion in fiscal year 2013, and revenue from the LPCs was\n        $9.4 billion or 87 percent.\n\n        TVA bills the LPCs based on meter readings for demand (kilowatt [kW])\n        and energy (kilowatt hours [kWh]) amounts delivered. The majority of the\n        total amount billed on each LPC invoice is demand and energy charges,\n        which consists of two components: (1) monthly kW and kWh totals\n        comprised of daily meter readings multiplied by (2) rates for the various\n        classifications (e.g., residential and commercial/industrial). TVA utilizes\n        the software package Oracle Utilities, also referred to as Lodestar, to\n        produce the wholesale invoices.\n\n        The Office of the Inspector General (OIG) included a review of the\n        Revenue Billing invoice preparation process on its annual audit plan\n        because of the significance of LPCs revenue to TVA. We audited the\n        Revenue Billing invoice preparation process for the period April 1, 2011,\n        through July 31, 2013, to determine if:\n\n        1. Wholesale invoices were calculated correctly.\n\n        2. Controls to prevent/detect invoice errors were adequate.\n\n        3. Oracle Utilities had appropriate/adequate information technology (IT)\n           general and application level controls.\n\n        Our audit focused on the Revenue Billing and Power Billing departments\xe2\x80\x99\n        roles and responsibilities in the revenue billing process. The Power Billing\n        department is responsible for the validity of the demand and energy\n        readings in Oracle Utilities. The Revenue Billing department is\n        responsible for the accuracy and completeness of amounts invoiced.\n\n\n\n\nAudit 2013-15106                                                               Page i\n\n                            TVA RESTRICTED INFORMATION\n\x0c                          Audit 2013-15106 \xe2\x80\x93 Revenue Billing\n                                  Invoice Preparation\n                               EXECUTIVE SUMMARY\n\n    What the OIG Found\n\n        Our audit of TVA\xe2\x80\x99s Revenue Billing invoice preparation process for LPCs\n        during the period April 1, 2011, through July 31, 2013, found:\n\n        1. Wholesale invoices were calculated correctly.\n\n        2. Controls to prevent/detect invoice errors were adequate.\n\n        3. Oracle Utilities had appropriate/adequate IT general and application\n           level controls.\n\n        However, we identified some minor issues where changes could\n        strengthen and/or improve the revenue billing process and may decrease\n        the likelihood of errors or adjustments.\n\n        Per TVA personnel, beginning in January 2013 monthly meetings between\n        the various departments involved with the invoicing process have been\n        conducted to review adjustments and the higher risk areas to improve the\n        process. As of July 31, 2013, the number of adjustments made by\n        Power Billing and Revenue Billing had decreased 48 percent from fiscal\n        year 2012.\n\n    What the OIG Recommends\n\n        We recommend TVA\xe2\x80\x99s Vice President and Controller, Corporate\n        Accounting, and the Senior Vice President, Transmission, coordinate as\n        appropriate to address the following recommendations:\n\n        1. Maintain e-mail approvals that document the rate change control was\n           performed, as required for Sarbanes-Oxley (SOX) testing, either on the\n           share drive with appropriate restricted access or hardcopy.\n\n            TVA Management\xe2\x80\x99s Comments \xe2\x80\x93 TVA management agreed to\n            maintain e-mail approvals on the Revenue share drive that documents\n            the rate change control was performed. E-mail documentation was\n            traditionally stored in this manner for wholesale rate changes and, as\n            of March 2013, the monthly rate change e-mails are stored in this\n            manner as well. (See Appendix B for management\xe2\x80\x99s complete\n            response.)\n\n            Auditor\xe2\x80\x99s Response \xe2\x80\x93 The OIG concurs with TVA management\xe2\x80\x99s\n            response and no further action is necessary.\n\nAudit 2013-15106                                                             Page ii\n\n                            TVA RESTRICTED INFORMATION\n\x0c                           Audit 2013-15106 \xe2\x80\x93 Revenue Billing\n                                   Invoice Preparation\n                                EXECUTIVE SUMMARY\n\n        2. Periodically review Power Billing\xe2\x80\x99s controls to determine if they address\n           atypical situations and/or could be strengthened to increase prevention\n           or detection of errors and reduce adjustments.\n\n            TVA Management\xe2\x80\x99s Comments \xe2\x80\x93TVA management stated the Meter\n            to Cash team that meets on a monthly basis discusses each of the\n            prior month and pending adjustments and looks at the root cause of\n            each to determine if the controls in place are working properly or need\n            to be modified. Power Billing and Revenue\xe2\x80\x99s controls are being\n            evaluated and strengthened when needed through this team effort.\n            Additionally, the Power Billing group has internal team meetings\n            monthly to discuss and brainstorm around any metering issues that\n            have come up in the past month. Beginning with the roll forward\n            testing period in October 2014, all SOX controls for Revenue and\n            Power Billing have moved to a management testing model conducted\n            by the Senior Program Manager, Revenue Quality. This will ensure\n            that each control for both groups is being monitored internally and\n            updated or revised as needed. (See Appendix B for management\xe2\x80\x99s\n            complete response.)\n\n            Auditor\xe2\x80\x99s Response \xe2\x80\x93 The OIG acknowledges and concurs the\n            monthly Meter to Cash meetings are beneficial; however, this is a\n            reactive control because issues are addressed only after they have\n            occurred. The OIG concurs with TVA management\xe2\x80\x99s plans for\n            implementing the management testing model for the SOX controls by\n            the Senior Program Manager, Revenue Quality, where each control is\n            monitored and updated or revised as needed.\n\n        3. Implement automated controls requiring appropriate approvals for\n           adjustments based on established threshold amounts.\n\n            TVA Management\xe2\x80\x99s Comments \xe2\x80\x93 TVA management stated that as of\n            May 2014, TVA has automated invoice adjustments associated with\n            the revenue for kW and kWh. The automation should alleviate the\n            concerns around the tiered review process since the majority of\n            adjustments (dollar and volume related) will now be handled\n            systematically. The current tiered review process will stay in place for\n            any one-off adjustments that have to be made manually. (See\n            Appendix B for management\xe2\x80\x99s complete response.)\n\n            Auditor\xe2\x80\x99s Response \xe2\x80\x93 The OIG concurs with TVA management\xe2\x80\x99s\n            actions and no further action is necessary.\n\n\nAudit 2013-15106                                                              Page iii\n\n                             TVA RESTRICTED INFORMATION\n\x0c                          Audit 2013-15106 \xe2\x80\x93 Revenue Billing\n                                  Invoice Preparation\n                               EXECUTIVE SUMMARY\n\n        We recommend TVA\xe2\x80\x99s Vice President and Controller, Corporate\n        Accounting, and the Vice President, Pricing and Contracts, coordinate as\n        appropriate, and:\n\n        4. Automate the transmission of rate changes to Oracle Utilities from\n           source systems. If automating transmission of rate changes is not\n           considered cost beneficial, implement one common set of rate\n           classification descriptions to increase the efficiency of updating the\n           rates as well as reduce the risk of manual input errors.\n\n            TVA Management\xe2\x80\x99s Comments \xe2\x80\x93 TVA management agreed to move\n            forward with the automation of rate changes to Lodestar from the\n            source system. Automation of this process was being explored prior to\n            the OIG audit, and Revenue Billing has participated in a working\n            discussion with the IT department on how to attain this goal. The new\n            process should be implemented no later than December 2014. (See\n            Appendix B for management\xe2\x80\x99s complete response.)\n\n            Auditor\xe2\x80\x99s Response \xe2\x80\x93 The OIG concurs with TVA management\xe2\x80\x99s\n            planned actions.\n\n\n\n\nAudit 2013-15106                                                               Page iv\n\n                             TVA RESTRICTED INFORMATION\n\x0cOffice of the Inspector General                                            Audit Report\n\n\nBACKGROUND\nThe Tennessee Valley Authority (TVA) is primarily a wholesaler of power. TVA\nsells power to distributors (i.e., local power companies [LPC]) who then resell the\npower to their end-use customers at retail rates. TVA had wholesale power\ncontracts with 155 LPCs as of September 30, 2013. TVA\xe2\x80\x99s total electricity sales\nwere $10.8 billion during fiscal year (FY) 2013, and revenue from the LPCs was\n$9.4 billion, or 87 percent. The remaining 13 percent came from TVA\xe2\x80\x99s sales of\npower to other entities (e.g., directly served customers and federal agencies).\n\nTVA bills LPCs based on meter readings for demand (kilowatt [kW]) and energy\n(kilowatt hours [kWh]) amounts delivered to the LPCs. The majority of the total\namount billed on each LPC invoice is demand and energy charges, which\nconsists of two components: (1) monthly kW and kWh comprised of daily meter\nreadings multiplied by (2) rates for the various classifications (e.g., residential\nand commercial/industrial).\n\nTo produce the wholesale invoices, TVA utilizes the software package Oracle\nUtilities, also referred to as Lodestar. The revenue billing invoice process begins\nwith kW and kWh meter readings being imported into Oracle Utilities where\nwholesale rates are applied to the kW and kWh amounts along with the\ncalculation of charges and credits to generate the wholesale invoices and ends\nwhen the LPCs are electronically notified the invoice has been generated. In\naddition to the wholesale invoices, Oracle Utilities generates Power Billing\nSummary Reports, which consists of the numerous kW and kWh readings\ncollected throughout the month. Oracle Utilities also creates the respective\nentries that are input into TVA\xe2\x80\x99s Enterprise Financial Management System\n(general ledger). Oracle Utilities is considered an in-scope application for\nSarbanes-Oxley (SOX) compliance, which causes it to be tested on a yearly\nbasis for various information technology (IT) general controls.\n\nSeveral groups within TVA are tasked with ensuring the monthly invoices are\ncomplete and issued in a timely and accurate manner, including Revenue Billing,\nPower Billing, Pricing and Contracts, Metering Services, Customer Resources,\nand Transmission. Our audit focused on the Revenue Billing and Power Billing\ndepartments\xe2\x80\x99 roles and responsibilities in the revenue billing process. The Power\nBilling department is responsible for identifying potential issues in the daily meter\ndata imported into Oracle Utilities and creating the Power Billing Summary\nReports (analysis and validity of the demand and energy readings). The\nRevenue Billing department is responsible for ensuring the various rates are\ncorrect within Oracle Utilities and that invoices are generated for all customers\nfrom Oracle Utilities on a timely basis (accuracy and completeness of amounts\ninvoiced).\n\nDuring our audit TVA reorganized and the Power Billing and Revenue Billing\ndepartments, which were under one manager in the Financial Services\norganization, were separated into two organizations. Power Billing is now part of\nAudit 2013-15106                                                                Page 1\n\n                                  TVA RESTRICTED INFORMATION\n\x0cOffice of the Inspector General                                           Audit Report\n\n\nthe Right-of-Way and Meter Management organization, under the Transmission\ndivision. Revenue Billing is now called \xe2\x80\x9cRevenue\xe2\x80\x9d and is part of the Corporate\nAccounting organization under the Financial Services division; however, we refer\nto this department as \xe2\x80\x9cRevenue Billing\xe2\x80\x9d in this report.\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\nThe Office of the Inspector General (OIG) included a review of the Revenue\nBilling invoice preparation process on its annual audit plan because of the\nsignificance of LPCs revenue to TVA. We audited Revenue Billing\xe2\x80\x99s invoice\npreparation for the period April 1, 2011, through July 31, 2013, to determine if:\n\n1. Wholesale invoices to LPCs were calculated correctly.\n\n2. Controls to prevent/detect invoice errors were adequate.\n\n3. Oracle Utilities had appropriate/adequate IT general controls.\n\nOur scope included verifying certain rate components and calculations for a\nrandom sample of 20 out of 4,340 wholesale invoices billed to 19 of the 155 LPCs\nduring the audit period. We also obtained the invoice adjustment file for the audit\nperiod and tested a judgmental sample of 20 out of 209 data records that were the\nresponsibility of the Revenue Billing and Power Billing departments. Our scope\ndid not include testing the accuracy of the demand and energy meter readings\nimported into Oracle Utilities.\n\nWe also reviewed the IT general and application level controls associated with the\ninvoice preparation process except for controls related to System Planning/Risk\nAssessment. These controls were reviewed by the OIG in Audit 2014-15059,\nFederal Information Security Management Act, which identified issues TVA\nmanagement has indicated they will be addressing. A complete discussion of our\naudit objectives, scope, and methodology are included in Appendix A.\n\nFINDINGS\nOur audit of TVA\xe2\x80\x99s Revenue Billing invoice preparation process for LPCs during\nthe period April 1, 2011 through July 31, 2013 found:\n\n1. Wholesale invoices were calculated correctly.\n\n2. Controls to prevent/detect invoice errors were adequate.\n\n3. Oracle Utilities had appropriate/adequate IT general and application level\n   controls.\n\nWe identified some minor issues where we believe changes could strengthen\nand/or improve the revenue billing process and may decrease the likelihood of\nAudit 2013-15106                                                                Page 2\n\n                                  TVA RESTRICTED INFORMATION\n\x0cOffice of the Inspector General                                            Audit Report\n\n\nerrors or adjustments. The following provides a detailed discussion of our\nfindings.\n\nWHOLESALE INVOICES CALCULATED CORRECTLY\nTo obtain a better understanding of the revenue billing process as well as the\nbusiness controls identified by management, we obtained the SOX controls and\nresults of TVA\xe2\x80\x99s SOX testing. To determine if LPC wholesale invoices were\ncalculated correctly, we tested a sample of 20 invoices billed to LPCs during the\naudit period. We found all invoices reviewed were calculated correctly; however,\nwe identified minor issues where changes could strengthen the revenue billing\nprocess. Some of these issues were discussed with TVA Management; others\nare discussed in more detail below. Specifically, we found:\n\n\xef\x82\xb7   The SOX business controls over the invoice preparation process appeared to\n    be properly designed to detect and prevent errors and help ensure the\n    wholesale invoices were calculated correctly. However, except for testing\n    one specific SOX control, we relied on our sample testing to identify controls\n    that were not functioning properly.\n\xef\x82\xb7   Demand and energy rates tested in our sample were accurate, indicating the\n    related controls functioned properly; however, our testing of the SOX control\n    found required e-mail approvals could not be located for 8 of 18 rate changes.\n    Also, we found the \xe2\x80\x9cstandard product\xe2\x80\x9d rates are manually updated in Oracle\n    Utilities.\n\nCredits and other charges tested in our sample were accurate and calculated\ncorrectly, indicating the related controls functioned properly. Details of testing\nperformed and our results follow.\n\nSOX Business Controls Appear Adequate\nTVA\xe2\x80\x99s SOX group provided a listing of 24 business controls applicable to the\nwholesale invoice billing process during the audit period. We noted there were\n15 controls identified by TVA as \xe2\x80\x9ckey\xe2\x80\x9d in FY2013, and the status of 3 of these\ncontrols was changed to being identified as a \xe2\x80\x9ckey\xe2\x80\x9d control during the audit period\nbecause of noted deficiencies. However, there were no outstanding deficiencies\nassociated with the 24 SOX controls as of our report date.\n\nBased on our understanding of the invoice preparation process and controls, it\nappears the SOX business controls were designed to detect and prevent errors\nand ensure the wholesale invoices were calculated correctly. However, except\nfor testing the specific SOX control for updating rate changes (discussed below),\nwe relied on our sample testing of invoice accuracy and adjustments to identify\ncontrols that were not functioning properly.\n\n\n\n\nAudit 2013-15106                                                                Page 3\n\n                                  TVA RESTRICTED INFORMATION\n\x0cOffice of the Inspector General                                                               Audit Report\n\n\nTested LPC Wholesale Demand and Energy Rates Accurate\nTVA provides wholesale service to the 155 LPCs under three wholesale rate\ndesigns, referred to as \xe2\x80\x9cstandard products\xe2\x80\x9d (i.e., Time of Use, Modified Time of\nUse, and Seasonal Demand and Energy), which consisted of 142 different kW\nand 238 different kWh rates during the audit period. \xe2\x80\x9cStandard product\xe2\x80\x9d charges\nare calculated by multiplying the total kW and kWh amounts used during the\nmonth by the appropriate kW or kWh rate. In addition, TVA has other products\nreferred to as \xe2\x80\x9cprice feed products.\xe2\x80\x9d The kW rates for these products are based\noff of the Transmission Service Guidelines and the kWh rates are based off of\nhourly prices fed into Oracle Utilities. We randomly selected a sample of\n20 wholesale invoices out of the population of 4,340 invoices (0.5 percent). We\nattempted to verify and/or recalculate all kW and kWh rates in our sample which\ncontained:\n\n\xef\x82\xb7    82 different kW rates, consisting of:\n      \xef\x80\xad 78 \xe2\x80\x9cstandard product\xe2\x80\x9d rates.\n      \xef\x80\xad 4 Start-up and Testing Power \xe2\x80\x9cprice feed product\xe2\x80\x9d rates.\n\xef\x82\xb7    169 different kWh rate components, consisting of:\n     \xef\x80\xad 132 \xe2\x80\x9cstandard product\xe2\x80\x9d rates.\n     \xef\x80\xad 4 Start-up and Testing Power \xe2\x80\x9cprice feed product\xe2\x80\x9d rates.\n     \xef\x80\xad 33 fuel rates associated with energy.\n\xef\x82\xb7    16 different fuel cost adjustment (FCA) rates.\n\nAll demand and energy rates as well as the FCA rates on invoices tested were\naccurate.\n\nWhile no errors were noted in the rates for the invoices tested, we did note the\nProgram Manager of Revenue Billing must manually convert and upload new\nrate information received from Pricing and Contracts to Oracle Utilities annually.\nPricing and Contracts uses a different naming convention for the \xe2\x80\x9cstandard\nproducts\xe2\x80\x9d than the naming convention Oracle Utilities uses to generate the\nwholesale invoices.\n\nAfter the new rates have been uploaded, the Program Manager performs a final\nreview of the rates in the system and submits an e-mail approval back to the\nmanager. We tested this manual SOX control by requesting copies of the e-mail\napprovals for the 2 base rate changes1 and the 16 monthly FCA rates applicable\nto our sample of 20 invoices. Revenue Billing provided e-mail approvals for the\n2 base rate changes and 8 of the 16 monthly FCAs. According to Revenue\nBilling personnel, the 8 e-mail approvals could not be located because the\nperson, who was no longer at TVA, did not keep the e-mails on the same share\ndrive as the other e-mail approvals.\n\n1\n    The base rate changes occurred in April 2011 (when TVA switched from \xe2\x80\x9cend-use\xe2\x80\x9d billing to \xe2\x80\x9cwholesale\xe2\x80\x9d\n    billing) and October 2011 (the adjustment for FY2012).\nAudit 2013-15106                                                                                   Page 4\n\n                                   TVA RESTRICTED INFORMATION\n\x0cOffice of the Inspector General                                          Audit Report\n\n\nTested LPC Wholesale Credits and Nonenergy/Nondemand Charges\nAccurate\nTo verify the credits and charges other than demand or energy on the 20 sample\ninvoices, we obtained supporting documentation as necessary and recalculated\nthe amounts billed. Our testing results showed credits and charges other than\ndemand and energy in our sample were accurate and calculated correctly,\nindicating the related controls functioned properly.\n\nCONTROLS TO PREVENT/DETECT LPC WHOLESALE INVOICE\nERRORS ADEQUATE\nTo further determine if the controls to prevent and/or detect errors in the LPCs\nwholesale invoices were adequate, we tested a sample of 20 data records, which\nconsisted of 48 adjustments, and analyzed the total number of adjustments made\nby Revenue Billing and Power Billing during the audit period.\n\nAdjustments Made Accurately, but Strengthening Controls Could Decrease\nNumber of Adjustments\nWe obtained the adjustment file for the audit period which contained 209 data\nrecords within our audit scope. Each of the data records represented one or\nmore adjustments associated with one or more identified errors. We selected a\nrandom sample of 20 out of the 209 data records (10 percent) consisting of\n6 Revenue Billing data records and 14 Power Billing data records with 48 total\nadjustments. We tested the sample and reviewed the SOX testing results for the\napplicable controls to determine if controls to prevent and/or detect adjustments\nwere adequate.\n\nWe found for 15 of the 20 sampled data records, which consisted of\n20 adjustments, controls were adequate and/or TVA proactively took action to\nstrengthen/improve the control that allowed an exception to occur. For these\n15 data records, we believe no additional actions by TVA are necessary.\n\nFor the remaining 5 sampled data records, which consisted of 28 adjustments,\nthe errors that led to these adjustments are not typical; therefore, the existing\ncontrols were not designed to address these types of items. Controls should be\nproactively reviewed on a periodic basis to determine if they address atypical\nsituations and if they could be strengthened to increase prevention or detection\nof errors and reduce adjustments.\n\nNumber of Adjustments During the Audit Period Decreased\nOur analysis of the 209 data records, which consisted of 551 adjustments made\nduring the audit period attributable to Revenue Billing and Power Billing, found\nfewer adjustments were made during the 10 months of FY2013 than each of the\nprevious two FY\xe2\x80\x99s in our audit period. We noted the total number of these\nadjustments decreased by 48 percent from FY2012 to July 31, 2013.\n\n\nAudit 2013-15106                                                              Page 5\n\n                                  TVA RESTRICTED INFORMATION\n\x0cOffice of the Inspector General                                              Audit Report\n\n\nTVA personnel stated monthly meetings began between the various groups\ninvolved in the billing process including: Customer Service, Pricing and\nContracts, Transmission, and Metering Services, in addition to Revenue Billing\nand Power Billing in January 2013. We were told they now review each of the\nprior month\xe2\x80\x99s adjustments, discuss the root cause of each adjustment, and\nidentify areas of high risk to determine if changes to controls need to occur or\nnew controls need to be implemented in these meetings. It appears these\nmonthly meetings are achieving the desired results based on the notable\ndecrease in the number of adjustments in the first 10 months of FY2013. As of\nJuly 31, 2013, the number of adjustments made by Power Billing and Revenue\nBilling had decreased 48 percent from FY2012.\n\nACCEPTABLE IT GENERAL AND APPLICATION LEVEL\nCONTROLS OVER ORACLE UTILITIES\nWe reviewed the SOX testing and corresponding results for IT general controls\nand IT application controls for data input, rejected transactions, and output. Our\nreviews of these controls indicated, overall, they were appropriate and adequate\nto detect/prevent invoice errors. However, we identified a manual control that, if\nautomated, could decrease the risk of improper adjustments and noted access\ncontrol should be reviewed and updated.\n\nAcceptable IT General Controls\nIT general controls apply to all system components, processes, and data, and\ntheir purpose is to ensure the proper development and implementation of\napplications (i.e., programs), as well as the integrity of programs, data files, and\ncomputer operations. To generate wholesale invoices, multiple systems are\nutilized to either collect, provide, or generate information during the billing invoice\nprocess. After kW and kWh meter readings are automatically collected and input\ninto the Itron Enterprise Edition (IEE)/Meter Data Management (MDM) system,\nthey are fed via the Billing Data Interchange (BDI) into Oracle Utilities where\nappropriate rates are applied. Other systems (e.g., Electric Sales Statistics and\nReal Time Pricing) feed data into Oracle Utilities that is used to calculate other\ncharges and credits, and then the LPC wholesale invoices are generated from\nOracle Utilities.\n\nTVA\xe2\x80\x99s SOX group tested four of the six IT general controls on a regular basis\nduring the audit period. TVA\xe2\x80\x99s SOX group did not test security planning or\nauditing/monitoring; however, the OIG tested security planning as part of\nAudit 2014-15059, Federal Information Security Management Act, and identified\nissues that TVA management indicated they will be addressing. Therefore, we\ndid not review security planning during this audit. The OIG tested auditing and\nmonitoring during this audit.\n\nFor the remaining four IT general controls, our review of SOX testing and\ncorresponding results indicated acceptable implementation governing the\noperation of the Oracle Utilities system. Based on our testing, our review of the\nAudit 2013-15106                                                                  Page 6\n\n                                  TVA RESTRICTED INFORMATION\n\x0cOffice of the Inspector General                                                     Audit Report\n\n\nSOX detail testing documentation, reperformance of selected SOX testing, and\nreview of SOX employee qualifications and independence, we determined we\ncould rely on the IT general controls unless our sample testing identified controls\nthat were not functioning properly. The five IT general controls tested by SOX\nand the OIG and the corresponding results are listed in Table 1 below.\n\n                        OIG Review of IT General Controls Testing\n                     Control                               Results of SOX Testing\n\n Change Control                               Acceptable\n\n Contingency Planning                         Acceptable\n\n Auditing and Monitoring                      Acceptable\n\n Configuration Management                     Tested as part of Change Control, Acceptable\n\n Access to Programs and Data                  Acceptable\n                                                                                       Table 1\n\nAcceptable IT Application Level Controls\nWe reviewed controls for data input, rejected transactions, and data output, (IT\napplication level controls). Our review of the IT input controls noted edit routines\nare a core part of the Oracles Utilities application and are how changes and/or\nadjustments to demand and energy data are made if needed. Automated\ncontrols, including change control processes and access controls, exist that\nprevent unauthorized changes to Oracle Utilities program functionality, such as\ncalculations and tables. Our review of the IT output controls indicated the\nwholesale invoices, which have confidential information, are protected on TVA\nOnline Connections from view and changes from unauthorized individuals.\nDuring our review of rejected transactions, we noted automated controls exist to\nnotify appropriate personnel that meter data transactions have been rejected or\nerrors have occurred.\n\nWhile these reviews indicated the application controls for data input, rejected\ntransactions, and output were appropriate and adequate to detect/prevent invoice\nerrors, we did note an area where improvement could be made. One input\ncontrol required different individuals\xe2\x80\x99 approval for various adjustment amounts.\nHowever, this is a manual control rather than an automated control allowing\nadjustments to be processed by the system without approval.\n\n\n\n\nAudit 2013-15106                                                                         Page 7\n\n                                  TVA RESTRICTED INFORMATION\n\x0cOffice of the Inspector General                                         Audit Report\n\n\nRECOMMENDATIONS\nWe recommend TVA\xe2\x80\x99s Vice President and Controller, Corporate Accounting, and\nthe Senior Vice President, Transmission, coordinate as appropriate to address\nthe following recommendations:\n\n1. Maintain e-mail approvals that document the rate change control was\n   performed as required for SOX testing, either on the share drive with\n   appropriate restricted access or hardcopy.\n\n    TVA Management\xe2\x80\x99s Comments \xe2\x80\x93 TVA management agreed to maintain\n    e-mail approvals on the Revenue share drive that documents the rate change\n    control was performed. E-mail documentation was traditionally stored in this\n    manner for wholesale rate changes and, as of March 2013, the monthly rate\n    change e-mails are stored in this manner as well. (See Appendix B for\n    management\xe2\x80\x99s complete response.)\n\n    Auditor\xe2\x80\x99s Response \xe2\x80\x93 The OIG concurs with TVA management\xe2\x80\x99s response\n    and no further action is necessary.\n\n2. Periodically review Power Billing\xe2\x80\x99s controls to determine if they address\n   atypical situations and/or could be strengthened to increase prevention or\n   detection of errors and reduce adjustments.\n\n    TVA Management\xe2\x80\x99s Comments \xe2\x80\x93TVA management stated the Meter to\n    Cash team that meets on a monthly basis discusses each of the prior month\n    and pending adjustments and looks at the root cause of each to determine if\n    the controls in place are working properly or need to be modified. Power\n    Billing and Revenue\xe2\x80\x99s controls are being evaluated and strengthened when\n    needed through this team effort. Additionally, the Power Billing group has\n    internal team meetings monthly to discuss and brainstorm around any\n    metering issues that have come up in the past month. Beginning with the roll\n    forward testing period in October 2014, all SOX controls for Revenue and\n    Power Billing have moved to a management testing model conducted by the\n    Senior Program Manager, Revenue Quality. This will ensure that each\n    control for both groups is being monitored internally and updated or revised\n    as needed. (See Appendix B for management\xe2\x80\x99s complete response.)\n\n    Auditor\xe2\x80\x99s Response \xe2\x80\x93 The OIG acknowledges and concurs the monthly\n    Meter to Cash meetings are beneficial; however, this is a reactive control\n    because issues are addressed only after they have occurred. The OIG\n    concurs with TVA management\xe2\x80\x99s plans for implementing the management\n    testing model for the SOX controls by the Senior Program Manager, Revenue\n    Quality, where each control is monitored and updated or revised as needed.\n\n\n\n\nAudit 2013-15106                                                             Page 8\n\n                                  TVA RESTRICTED INFORMATION\n\x0cOffice of the Inspector General                                           Audit Report\n\n\n3. Implement automated controls requiring appropriate approvals for\n   adjustments based on established threshold amounts.\n\n    TVA Management\xe2\x80\x99s Comments \xe2\x80\x93 TVA management stated that as of May\n    2014, TVA has automated invoice adjustments associated with the revenue\n    for kW and kWh. The automation should alleviate the concerns around the\n    tiered review process since the majority of adjustments (dollar and volume\n    related) will now be handled systematically. The current tiered review\n    process will stay in place for any one-off adjustments that have to be made\n    manually. (See Appendix B for management\xe2\x80\x99s complete response.)\n\n    Auditor\xe2\x80\x99s Response \xe2\x80\x93 The OIG concurs with TVA management\xe2\x80\x99s actions\n    and no further action is necessary.\n\nWe recommend TVA\xe2\x80\x99s Vice President and Controller, Corporate Accounting, and\nthe Vice President, Pricing and Contracts, coordinate as appropriate, and:\n\n4. Automate the transmission of rate changes to Oracle Utilities from source\n   systems. If automating transmission of rate changes is not considered cost\n   beneficial, we recommend implementing one common set of rate\n   classification descriptions to increase the efficiency of updating the rates as\n   well as reduce the risk of manual input errors.\n\n    TVA Management\xe2\x80\x99s Comments \xe2\x80\x93 TVA management agreed to move\n    forward with the automation of rate changes to Lodestar from the source\n    system. Automation of this process was being explored prior to the OIG\n    audit, and Revenue Billing has participated in a working discussion with the IT\n    department on how to attain this goal. The new process should be\n    implemented no later than December 2014. (See Appendix B for\n    management\xe2\x80\x99s complete response.)\n\n    Auditor\xe2\x80\x99s Response \xe2\x80\x93 The OIG concurs with TVA management\xe2\x80\x99s planned\n    actions.\n    .\n\n\n\n\nAudit 2013-15106                                                               Page 9\n\n                                  TVA RESTRICTED INFORMATION\n\x0c                                                                     APPENDIX A\n                                                                      Page 1 of 4\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\nOur audit objectives were to determine if: (1) wholesale invoices were calculated\ncorrectly, (2) controls to prevent/detect invoice errors were adequate, and\n(3) Oracle Utilities (previously Lodestar) had appropriate/adequate information\ntechnology (IT) general and application controls. We performed the following to\naccomplish our objectives:\n\n\xef\x82\xb7   To determine if wholesale invoices were calculated correctly, we:\n    \xef\x80\xad Pulled a random sample of 20 out of 4,340 (0.5 percent) wholesale local\n       power company (LPC) invoices, and:\n\n       1. Initially, we selected a statistical random sample of 203 out of\n          4,340 wholesale LPC invoices (4.6 percent of population). However,\n          after we began tracing all components of each invoice, we realized it\n          would take much longer to verify all 203 sample invoices than originally\n          estimated based on our available resources. Therefore, we decided to\n          pull a nonstatistical random sample of 20 invoices from the random\n          statistical sample of 203 invoices to test. We determined the demand\n          and energy charges on the 20 sample invoices was 99.6 percent of the\n          total dollar charges on the invoices (not including credits), and\n          93.2 percent of the absolute total dollar value of the invoices (including\n          credits). We decided we would evaluate whether or not we should\n          expand the sample and perform additional invoice testing based on our\n          testing results from verifying the total demand and energy charges on\n          the 20 invoices. We found no errors associated with the demand and\n          energy rates on the 20 invoices and determined those demand and\n          energy rates represented 55 percent of the \xe2\x80\x9cstandard product\xe2\x80\x9d demand\n          and energy rates available to the LPCs during the audit period. Based\n          on our testing results, we determined additional testing of invoices was\n          not necessary. Because we did not verify the information on the entire\n          statistical sample (203 invoices), we did not project the sample results\n          to the population.\n\n       2. Verified demand and energy rates on the 20 sample invoices by\n          obtaining source documentation (e.g., wholesale contracts and rate\n          schedules) and recalculating the rate.\n\n       3. Verified the credits and other charges (nondemand/nonenergy) by\n          obtaining source documentation (e.g., customer contracts and\n          agreements for credit programs, such as Enhanced Growth Credit and\n          Small Manufacturing Credit) and recalculated the amounts. For\n          Minimum Bill Adjustments, Enhanced Growth Credits, Generation\n          Partners (credits), and Green Power (credits), we recalculated the\n          components listed on the invoice and obtained applicable supporting\n          documentation maintained by the Tennessee Valley Authority (TVA)\n          without exception. We did not obtain the applicable individual end-use\n          customer contracts and/or data maintained only at the LPC.\n                            TVA RESTRICTED INFORMATION\n\x0c                                                                    APPENDIX A\n                                                                     Page 2 of 4\n\n          For Discounted Energy Unit (credits) and Start-up and Testing Power\n          Margin (adjustments) we obtained supporting documentation\n          (spreadsheets) from TVA personnel and traced the amount to the\n          invoice without exception. We did not verify all components of the\n          spreadsheet or recalculate the amounts because of the complexity of\n          the calculations, and the amounts for these six credits and other\n          charges represented less than 0.3 percent of the total amount billed on\n          the invoice.\n\n       4. Reviewed documentation regarding how rate changes are tracked\n          and entered for billing purposes. We tested the manual Sarbanes-\n          Oxley (SOX) control regarding rate change verification for rates\n          applicable to the sample of 20 invoices.\n\n\xef\x82\xb7   To determine if controls to prevent/detect invoice errors were adequate, we:\n    \xef\x80\xad Obtained an understanding of the processes and procedures related to\n       TVA Revenue Billing and invoicing of LPCs. To accomplish this, we:\n\n       1. Obtained and reviewed organizational charts applicable to the audit\n          period.\n\n       2. Interviewed the senior manager, manager, program manager, and\n          other relevant personnel of Revenue Billing and Power Billing.\n\n       3. Obtained and reviewed TVA\xe2\x80\x99s Standard Programs and\n          Processes (SPP); TVA-SPP-13.60, Revenue (effective November 7,\n          2012), and FSO-SPP 13.62, Power Billing (Draft version).\n\n       4. Obtained and reviewed TVA-SPP-13.064, TVA Meter to Cash Process\n          (effective October 1, 2013), after the audit period.\n\n       5. Obtained documentation and created a flowchart of the various\n          systems.\n\n    \xef\x80\xad Obtained information on SOX PMO controls and/or processes in place to\n      prevent/detect invoice errors by interviewing key personnel.\n    \xef\x80\xad Obtained a listing of all invoice adjustments identified during the audit\n      period, determined which adjustments were specifically the responsibility\n      of either Revenue Billing or Power Billing (209 data records, which\n      consisted of 551 adjustments), and chose a sample of 20 data records\n      (10.45 percent). We determined we would use nonstatistical, random\n      sampling rather than statistical due to the small population. Therefore, we\n      did not project the sample results to the population. For that sample of\n      20 data records, which was 48 adjustments, we determined:\n\n       1. Why the error occurred,\n\n       2. How the error was identified, and\n\n       3. Whether or not the appropriate action was taken.\n                           TVA RESTRICTED INFORMATION\n\x0c                                                                       APPENDIX A\n                                                                        Page 3 of 4\n\n    \xef\x80\xad Discussed controls in place with Revenue Billing and Power Billing to see\n      if any were in place to identify repeat errors.\n\xef\x82\xb7   To determine if Oracle Utilities had appropriate/adequate IT general controls,\n    we reviewed and summarized TVA\xe2\x80\x99s SOX detail testing results, performed\n    testing, reviewed applicable policies and procedures, and discussed\n    procedures with Revenue Billing and Power Billing personnel for IT general\n    controls to determine if controls were in place for:\n\n    1. Change Control \xe2\x80\x93 Reviewed SOX testing.\n\n    2. Contingency Planning \xe2\x80\x93 Reviewed SOX testing.\n\n    3. Auditing and Monitoring \xe2\x80\x93 The Office of the Inspector General tested.\n\n    4. Configuration Management \xe2\x80\x93 Reviewed SOX testing.\n\n    5. Access to Programs and Data \xe2\x80\x93 Reviewed SOX testing.\n\n    Based on our testing, our review of the SOX detail testing documentation,\n    reperformance of selected SOX testing, and review of SOX employee\n    qualifications and independence, we determined we could rely on the IT\n    general controls and application controls unless our sample testing identified\n    controls that were not functioning properly.\n\n    Our audit of Oracle Utilities general IT controls did not include controls related\n    to System Planning/Risk Assessment. These controls were reviewed by the\n    Office of the Inspector General in Audit 2014-15059, Federal Information\n    Security Management Act, which identified issues TVA management has\n    indicated they will be addressing.\n\xef\x82\xb7   To determine if Oracle Utilities had appropriate/adequate application controls\n    for:\n\n    1. Data Input \xe2\x80\x93 We determined where the invoice inputs originated, who\n       approved the invoices, and what controls existed to ensure all LPCs were\n       invoiced, and the correct demand and energy amounts were billed. This\n       included gaining an understanding of and testing data (IT) input\n       procedures. Specifically, we obtained the approval levels and determined\n       whether the responsibility assigned for verifying appropriate approvals\n       were consistently applied. We also determined whether individuals\n       responsible for entering data had been trained on the preparation, entry,\n       and control of input; edit routines were embedded within the application;\n       and controls existed to prevent unauthorized changes to the system.\n\n    2. Rejected Transactions \xe2\x80\x93 We verified transaction controls were in place to\n       notify the process owner when transactions were rejected or errors\n       occurred, and reports existed to identify and track reprocessing of rejected\n       transactions.\n                             TVA RESTRICTED INFORMATION\n\x0c                                                                      APPENDIX A\n                                                                       Page 4 of 4\n\n    3. Data Output \xe2\x80\x93 We obtained data output procedures and verified\n       individuals responsible for data entry were trained and verified the data\n       output. We also verified the output: (a) was reviewed against source\n       documents and (b) for sensitive or confidential information and how it is\n       protected.\n\nWhen evaluating the results of our audit work, we used both quantitative and\nqualitative factors when considering the significance of an item. The quantitative\nfactor we considered in determining an item\xe2\x80\x99s significance was:\n\n\xef\x82\xb7   If the dollar value of an error(s) exceeds 0.5 percent of TVA\xe2\x80\x99s 2012 revenue it\n    would be considered significant; therefore, the threshold for quantitative\n    significance is $47.5 million.\n\nThe qualitative factor(s) we considered in determining an item\xe2\x80\x99s significance\nwere:\n\n\xef\x82\xb7   If TVA gives preferential treatment to certain distributors, or\n\xef\x82\xb7   If the item impacts TVA revenue or reputation by violating policies and\n    procedures or Power Contracts.\n\nOur audit scope included all wholesale invoices from April 1, 2011, through\nJuly 31, 2013, billed to the 155 LPCs and the controls applicable to preparing the\ninvoices during the audit period. Our scope did not include verifying the\ncompleteness and accuracy of the meter readings imported into Oracle for\ndemand and energy. Our fieldwork was conducted between August 2013 and\nJuly 2014.\n\nThis performance audit was conducted in accordance with generally accepted\ngovernment auditing standards. Those standards require we plan and perform\nthe audit to obtain sufficient, appropriate evidence to provide a reasonable basis\nfor our findings and conclusions based on our audit objectives. We believe the\nevidence obtained provides a reasonable basis for our findings and conclusions\nbased on our audit objectives.\n\n\n\n\n                             TVA RESTRICTED INFORMATION\n\x0c                             APPENDIX B\n                              Page 1 of 3\n\n\n\n\nTVA RESTRICTED INFORMATION\n\x0c                             APPENDIX B\n                              Page 2 of 3\n\n\n\n\nTVA RESTRICTED INFORMATION\n\x0c                             APPENDIX B\n                              Page 3 of 3\n\n\n\n\nTVA RESTRICTED INFORMATION\n\x0c'